Branching-Time Model-Checking of Probabilistic Pushdown Automata

INFINITY 2008

Branching-Time Model-Checking of Probabilistic Pushdown Automata Tom´asˇ Br´azdil1 V´aclav Broˇzek2 Vojtˇech Forejt3 Faculty of Informatics Masaryk University Brno, Czech Republic

Abstract In this paper we study complexity of the model-checking problem for probabilistic pushdown automata (pPDA) and qualitative fragments of two branching-time logics PCTL∗ and PECTL∗ . We prove that this problem is in 2-EXPTIME for pPDA and qualitative PCTL∗ . Consequently, we prove that model-checking of stateless pPDA (pBPA) and both qualitative PCTL∗ and qualitative PECTL∗ is 2-EXPTIME-hard. These results combined with results of several other papers give us that the model-checking problem for pPDA (and also for pBPA) and both qualitative PCTL∗ and qualitative PECTL∗ is 2-EXPTIME-complete. Finally, we survey known results on model-checking of pPDA and branching-time logics. Keywords: model-checking, Markov chains, temporal logics, probabilistic pushdown automata

1

Introduction

Model-checking is a popular verification method working as follows: Given a model of a system and a desired property expressed by a formula of a suitable logic, decide whether the system satisfies the formula. In this paper we consider this problem for systems modeled by discrete time Markov chains and properties expressed by formulae of branching-time probabilistic logics. The model-checking problem has been deeply studied for finite Markov chains (see, e.g., [15,9,2]). Several years ago model-checking of various kinds of infinite Markov chains was taken into consideration. The most prominent classes of infinite Markov chains studied in the context of model-checking are chains generated by probabilistic lossy channel systems (see, e.g., [3,1]), and two expressively equivalent classes of recurrent probabilistic systems: probabilistic pushdown automata [10,6] and recursive Markov chains [14,12,13]. In this paper we concentrate on model-checking of probabilistic pushdown automata (pPDA), and stateless pPDA (pBPA). 1 2 3

Email: [email protected] Email: [email protected] Email: [email protected]

This paper is electronically published in Electronic Notes in Theoretical Computer Science URL: www.elsevier.nl/locate/entcs

´ zdil, Broˇ Bra zek, and Forejt

Many temporal logics have been designed for specifying properties of Markov chains. In this paper we concentrate on two branching time temporal logics PCTL∗ and PECTL∗ . The logic PCTL∗ is a probabilistic variant of the well-known logic CTL∗ . The logic PECTL∗ generalizes PCTL∗ by substituting path subformulae with non-deterministic B¨uchi automata (it can also be seen as a probabilistic version of the logic ECTL∗ defined, e.g., in [8]). To give a complete picture of branching-time model-checking of pPDA, we also consider the logic PCTL which is a probabilistic variant of CTL. The main aim of this paper is to present complete complexity results on model-checking pPDA and qualitative fragments of PCTL, PCTL∗ and PECTL∗ (denoted qPCTL, qPCTL∗ and qPECTL∗ , resp.). This paper can be seen as a culmination of more than two years of intensive research (see, e.g., [10,6,14,12,13]). The first paper considering model-checking of pPDA was [10] where (among other results) decidability of model-checking of pPDA and qPCTL was proved. The paper [10] also introduced crucial tools for dealing with modelchecking of pPDA and showed that properties expressible using deterministic B¨uchi automata can effectively be verified for pPDA. The paper [10] was followed by [6] where the model-checking problem for pPDA and logics qPCTL, qPCTL∗ and qPECTL∗ was shown to be in EXPSPACE, 3-EXPSPACE, and 2-EXPSPACE, respectively. Moreover, the paper [6] proved undecidability of the model-checking problem for pPDA and (quantitative) PCTL (this problem still remains open for pBPA and PCTL), and also gave an EXPTIMElower bound on this problem for pBPA and qPCTL (the technique of this proof is based on unpublished observations of Richard Mayr). Consequently, results of Etessami and Yannakakis [12,13] on model-checking linear time properties of pPDA gave rise to an improvement of the upper bounds for qPCTL, qPCTL∗ and qPECTL∗ to EXPTIME, 3-EXPTIME, and 2-EXPTIME, respectively, presented in [5]. This showed that the model-checking problem for pPDA as well as pBPA and qPCTL is EXPTIME-complete. Matching bounds for qPCTL∗ and qPECTL∗ have not been established so far. Detailed complexity estimates presented in [5] reveal that the program complexity (i.e., the complexity in the size of pPDA when the formula is fixed) of model-checking pPDA (or pBPA) and each of the three logics above is in EXPTIME (or in P, resp.). On the other hand, in [4] Bozzelli proved that program complexity of model-checking non-probabilistic PDA and CTL is EXPTIME-hard. The proof of Bozzelli can easily be transformed to deal with pPDA and qPCTL by assigning arbitrary nonzero probabilities to transitions and by substituting path quantifiers A and E of CTL with P =1 and P >0 , respectively. Hence, the program complexity of the model-checking problem for pPDA and each of the logics qPCTL, qPCTL∗ and qPECTL∗ is EXPTIME-complete. Finally, the P-hardness of the program complexity of the model-checking problem for pBPA follows immediately from the P-hardness of the emptiness problem for context-free grammars. In this paper we complete the picture by proving the following results. •

The model-checking problem for pPDA and qPCTL∗ is in 2-EXPTIME. To prove this we extend techniques of [13] to show that the set of configurations satisfying a given qPCTL∗ formula is accepted by a finite state automaton computable in doubly exponential time.

•

Model-checking of pBPA and both qPCTL∗ and qPECTL∗ is 2-EXPTIME-hard. In the case of qPCTL∗ the proof combines techniques of [6] together with the technique used in [4] for showing 2-EXPTIME-hardness of model-checking non-probabilistic PDA 2

´ zdil, Broˇ Bra zek, and Forejt Table 1 branching-time model-checking of pPDA (combined)

pBPA pPDA

qPCTL

qPECTL∗

qPCTL∗

EXPTIME-complete EXPTIME-complete

2-EXPTIME-complete 2-EXPTIME-complete

2-EXPTIME-complete 2-EXPTIME-complete

Table 2 program complexity of branching-time model-checking of pPDA

pBPA pPDA

qPCTL

qPECTL∗

qPCTL∗

P-complete EXPTIME-complete

P-complete EXPTIME-complete

P-complete EXPTIME-complete

and CTL∗ . The proof for qPECTL∗ introduces new observations needed to deal with qPECTL∗ formulae. The above results complete the picture of complexity of the model-checking problem for pPDA as well as pBPA and the three logics qPCTL, qPECTL∗ and qPCTL∗ . These results are summarized in Table 1 (combined complexity) and Table 2 (program complexity).

2

Preliminaries

A (discrete) Markov chain is a triple M = (S, →, Prob) where S is a finite or countably infinite set of states, → ⊆ S × S is a transition relation, and Prob is a function which to each transition s → t of M assigns its probability Prob(s → t) ∈ (0, 1] so that for every P s ∈ S we have s→t Prob(s → t) = 1. x We also write s → t instead of Prob(s → t) = x. A path in M is a finite or infinite sequence w = s0 , s1 , . . . of states such that si → si+1 for every i. We denote wi the path si , si+1 , . . .. We use w(i) to denote the state si of w. A state t is reachable from a state s if there is a finite path starting in s and ending in t. A run is an infinite path. The set of all runs is denoted Run. The sets of all paths, finite paths and runs that start with a given finite path w are denoted Path(w), FPath(w) and Run(w), respectively. In particular, Run(s), where s ∈ S, is the set of all runs initiated in s. We are interested in probabilities of certain events associated with runs. To every s ∈ S we associate the probability space (Run(s), F, P) where F is the σ-field generated by all basic cylinders Run(w) where w ∈ FPath(s), and P : F → [0, 1] is the unique probability measure (see [17,16]) such that P(Run(w)) = Πm i=1 xi where w = s0 , . . . , sm xi and si−1 → si for every 1 ≤ i ≤ m (we put P(Run(s)) = 1). 2.1

Branching-Time Temporal Logics

We start with a definition of the temporal logic PCTL∗ . The syntax of PCTL∗ state and path formulae Φ and ϕ, resp., is given by the following abstract syntax equations. Φ ::= a | ¬Φ | Φ1 ∧ Φ2 | P ∼% ϕ ϕ ::= Φ | ¬ϕ | ϕ1 ∧ ϕ2 | X ϕ | ϕ1 U ϕ2 Here a ranges over a countably infinite set Ap of atomic propositions, % ∈ [0, 1], and ∼ ∈ {≤, , =}. 3

´ zdil, Broˇ Bra zek, and Forejt

Standard abbreviations tt, ∨ and ⇒ from the propositional logic are used, moreover 3ϕ ≡ tt U ϕ and 2ϕ ≡ ¬3¬ϕ. The logic PCTL is a fragment of PCTL∗ where path formulae are given by the equation ϕ ::= X Φ | Φ1 U Φ2 . In order to define the logic PECTL∗ we need the notion of a B¨uchi automaton. A B¨uchi automaton is a tuple B = (B, Σ, →, qI , F ), where Σ is a finite alphabet, B is a finite set of a states, → ⊆ B × Σ × B is a transition relation (we write q → q 0 instead of (q, a, q 0 ) ∈ →), qI is the initial state, and F ⊆ B is a set of accepting states. The automaton B accepts a word w ∈ Σω if there exists a sequence q0 , q1 , . . . of states of B such that q0 = qI , for all w(i)

i ≥ 0 we have qi → qi+1 , and some state of F occurs infinitely many times in q0 , q1 , . . .. We denote L(B) the set of all words accepted by B. The size of the automaton B is defined to be | → |. The logic PECTL∗ has only state formulae with the following syntax: Φ ::= a | ¬Φ | Φ1 ∧ Φ2 | P ∼% B(Φ1 , . . . , Φn ) Here n ≥ 1, B is a B¨uchi automaton over an alphabet Σ ⊆ 2{1,...,n} , and each Φi is a PECTL∗ formula. The semantics of PCTL∗ formulae is defined as follows. Let M = (S, →, Prob) be a Markov chain and let ν : Ap → 2S be a valuation. State formulae are interpreted over S, and path formulae are interpreted over Run. Hence, for a given s ∈ S and w ∈ Run we define s |=ν s |=ν s |=ν s |=ν

a ¬Φ Φ1 ∧Φ2 P ∼% ϕ

iff iff iff iff

w w w w w

s ∈ ν(a) s 6|=ν Φ s |=ν Φ1 and s |=ν Φ2 P({w∈ Run(s) | w|=ν ϕ})∼%

|=ν |=ν |=ν |=ν |=ν

Φ ¬ϕ ϕ1 ∧ϕ2 Xϕ ϕ1 U ϕ2

iff iff iff iff iff

w(0) |=ν Φ w 6|=ν ϕ w |=ν ϕ1 and w |=ν ϕ2 w1 |=ν ϕ ∃j ≥ 0 : wj |=ν ϕ2 and wi |=ν ϕ1 for all 0≤i<j

The semantics of a PECTL∗ formula Φ = P ∼% B(Φ1 , . . . , Φn ) is defined as follows: First, we can assume that the semantics of the PECTL∗ formulae Φ1 , . . . , Φn has already been defined. This means that for each w ∈ Run we can define an infinite word wΦ over the alphabet 2{1,...,n} by wΦ (i) = {k ∈ {1, . . . , n} | w(i) |=ν Φk } for all i ≥ 0. For every state s, let Run(s, Φ) = {w ∈ Run(s) | wΦ ∈ L(B)}. We stipulate that s |=ν Φ if and only if P(Run(s, Φ)) ∼ %. The logic PECTL∗ is more expressive than PCTL∗ . Indeed, using standard algorithms for conversion of LTL formulae to B¨uchi automata we can assign to every PCTL∗ state formula Φ a semantically equivalent PECTL∗ formula of size exponential in |Φ|. The qualitative fragments of PCTL, PCTL∗ , and PECTL∗ , denoted qPCTL, qPCTL∗ , and qPECTL∗ , resp., are obtained by restricting the allowed operator/number combinations in P ∼% ϕ and P ∼% B(Φ1 , . . . , Φn ) subformulae to ‘=0’ and ‘=1’. (Observe that ‘0’ are definable from ‘=0’, ‘=1’, and negation.) The model-checking problem for the above logics is stated as follows. Given a state s0 of M , a valuation ν, and a state formula Φ, does s0 |=ν Φ hold?

2.2

Probabilistic PDA

A probabilistic PDA (pPDA) is a tuple ∆ = (Q, Γ, δ, Prob) where Q is a finite set of control states, Γ is a finite stack alphabet, δ ⊆ Q×Γ×Q×Γ≤2 (where Γ≤2 = {α ∈ Γ∗ , |α| ≤ 2}) 4

´ zdil, Broˇ Bra zek, and Forejt

is a transition relation, and Prob is a function which to each transition pX → qα assigns a rational probability Prob(pX → qα) ∈ (0, 1] so that for all p ∈ Q and X ∈ Γ we have P that pX→qα Prob(pX → qα) = 1. x

In the rest of this paper we write pX → qα instead of (p, X, q, α) ∈ δ, and pX → qα instead of Prob(pX → qα) = x. We also assume that for each pX ∈ Q × Γ there is at least one qα such that pX → qα. The set Q × Γ∗ of all configurations of ∆ is denoted by C(∆). Given a configuration pXα, we call pX its head (a head of pε is p). We denote pBPA the class of all pPDA with just one control state. In what follows, configurations of pBPA are usually written without the control state (i.e., we write only α instead of pα). To ∆ we associate the Markov chain M∆ where C(∆) is the set of states and the transitions are determined as follows: 1

•

pε → pε for each p ∈ Q (here ε denotes the empty stack);

•

pXβ → qαβ is a transition of M∆ if and only if pX → qα is a transition of ∆.

x

x

For every pXα ∈ C(∆), where X ∈ Γ, a run initiated in pXα is clean if it does not reach a configuration qα for q ∈ Q. We denote Clean(pXα) ⊆ Run(pXα) the set of all clean runs. We define regular sets of configurations. Let A be a deterministic finite state automaton (DFA) with the alphabet Q ∪ Γ. We put C(A) := {pα ∈ C(∆) | reverse of pα is in A} the set of configurations accepted by A. A set C ⊆ C(∆) is regular if there is a DFA A such that C = C(A). Further, a set C ⊆ C(∆) is called simple iff for every configuration pα the membership of pα to C depends only on the head of pα.

3

The Results

In this section we justify the results presented in Table 1 and Table 2. Virtually, all modelchecking problems for pPDA are undecidable provided no restriction is imposed on valuations. Therefore, we restrict our attention to regular valuations which assign regular sets of configurations to atomic propositions. Similarly, a simple valuation assigns a simple set to every atomic proposition. 3.1

Upper Bounds

A complete proof of the following theorem is presented in [5]. (However, no part of this theorem has been published elsewhere so far.) Theorem 3.1 ([5]) The model-checking problem for pPDA and the logics qPCTL and qPECTL∗ is in EXPTIME and 2-EXPTIME, respectively. The program complexity of model-checking pPDA (or pBPA) and each of the logics qPCTL, qPCTL∗ and qPECTL∗ is in EXPTIME (or in P, resp.). The only missing result is a tight upper bound on model-checking pPDA and qPCTL∗ ([5] provides only 3-EXPTIME upper bound which is not tight). Theorem 3.2 The model-checking problem for pPDA and qPCTL∗ is in 2-EXPTIME. The rest of this subsection is devoted to the proof of Theorem 3.2. Let us fix a pPDA ∆ = 5

´ zdil, Broˇ Bra zek, and Forejt

(Q, Γ, →, Prob). Since P =0 (ϕ) ≡ P =1 (¬ϕ) we consider qPCTL∗ formulae containing only P =1 . First, we consider formulae of the form P =1 ϕ where ϕ is an LTL formula (i.e., all state subformulae of ϕ are atomic propositions). Lemma 3.3 Let ν be a simple valuation. There is a DFA A such that pα |=ν P =1 ϕ iff pα ∈ C(A). Assuming that the set S∆ = {pX ∈ Q × Γ | P(Clean(pX)) > 0} is known O(|ϕ|) in advance, the automaton A is computable in time 2|Q|·2 · |∆|O(1) . Proof (sketch). We begin with some notation adopted from [13]. Let us denote Cl (ϕ) the set of all subformulae of ϕ. To every run w of ∆ we assign its type type(w) ⊆ Cl (ϕ) such that ψ ∈ type(w) iff w |=ν ψ. Consider a run w = v w0 where v is a finite path and w0 is a run with a type t0 . Observe that t0 and v uniquely determine the type of w. We denote type(v, t0 ) the type determined by v and t0 . Now we formally define the automaton A. Let A = (K, Σ, γ, P0 , F ) where Cl(ϕ)

•

K = 2Q×2

•

Σ = Γ ∪ Q is the input alphabet;

is the set of states;

•

The transition function γ is defined as follows: · for all X ∈ Γ: γ(P, X) consists of all (p, t) ∈ Q × 2Cl(ϕ) such that at least one one of the following conditions holds (i) runs of Clean(pX) have the type t with nonzero probability (ii) there is (q, t0 ) ∈ P and a path v from pX to qε such that type(v, t0 ) = t · for all p ∈ Q: γ(P, p) = ∅ if for all (p, t) ∈ P we have ϕ ∈ t; and γ(p, t) = Q×2Cl(ϕ) otherwise (an arbitrary non-empty set would suffice).

•

The initial state P0 ⊆ Q × 2Cl(ϕ) consists of all pairs (p, t) where p ∈ Q and t is the unique type of the run (pε)ω .

•

The set of accepting states F = {∅}.

We call a type t probable for pα ∈ C(∆) if a run from Run(pα) has the type t with nonzero probability. Intuitively, the automaton reads the stack bottom up. After reading the reverse of a stack content α ∈ Γ∗ , the automaton A enters a state P where (p, t) ∈ P iff t is probable for pα. Finally, being in the state P (after reading reverse of α) and reading a control state p ∈ Q, the automaton A accepts iff ϕ ∈ t for every type t probable for pα. This means that ϕ is satisfied almost surely by a run initiated in pα. To compute γ we show that both conditions (i) and (ii) can be decided in time O(|ϕ|) 22 · |∆|O(1) . A deeper analysis of the LTL model-checking algorithm of [13] reveals that it decides whether an LTL formula is satisfied with a given probability on the condition that the stack is never erased. This is achieved by computing all types t such that a clean run has type t with nonzero probability. We need exactly this to decide the condition (i). The O(|ϕ|) algorithm runs in time 22 · |∆|O(1) . To decide the condition (ii), we have to decide whether for a given (q, t0 ) ∈ P there is a path v from pX to qε such that type(v, t0 ) = t. This problem can be reduced to the reachability problem for non-probabilistic PDA using a procedure described in [13], which runs in time exponential in |ϕ| and polynomial in |∆|. This reduction and the results of [11] give an algorithm for deciding (ii) running in time 2O(|ϕ|) · |∆|O(1) . Now the overall complexity of computing A is easy to compute. 2 Till now we assumed valuations of atomic propositions to be simple. Using standard methods (see, e.g., [5]) one can extend the above results to regular valuations. Let us fix a 6

´ zdil, Broˇ Bra zek, and Forejt

regular valuation ν. Let a1 , . . . , ak be all atomic propositions occurring in ϕ (we are still working with a formula P =1 ϕ where ϕ is an LTL formula) and let us assume that for each 1 ≤ i ≤ k there is a DFA Ai accepting ν(ai ). Denote K1 , . . . , Kk the sets of states of A1 , . . . , Ak , respectively. The following corollary can easily be proved using techniques presented in [5, Section 4.5]. Corollary 3.4 There is a deterministic finite state automaton A such that pα |=ν P =1 ϕ iff pα ∈ C(A). Assuming that S∆ is known in advance, the automaton A is computable in Q O(|ϕ|) O(|ϕ|) Qk time (2|Q|·2 · |∆| · |ϕ| · ki=1 |Ki |)O(1) and has 2|Q|·2 · i=1 |Ki | states. Proof of Theorem 3.2 First, we introduce some notation. To every qPCTL∗ state formula τ we assign sets Sub(τ ) and Ap(τ ) of all subformulae of the form P ∼% ψ and of all atomic propositions, respectively. To get correct complexity bounds we assume w.l.o.g. that each atomic proposition has at most one occurrence in τ . In what follows, we assume that the set S∆ = {pX ∈ Q × Γ | P(Clean(pX)) > 0} has already been computed. The set S∆ can be computed in PSPACE (see, e.g., [5]), and thus computing S∆ does not affect the overall complexity. Now, it suffices to prove the following claim: For any qPCTL∗ formula τ and a regular valuation ν there is a DFA Aτ such that for all pα ∈ C(∆) holds pα ∈ C(Aτ ) iff Q O(1) O(|τ |) |A | and pα |=ν τ . The automaton Aτ is computable in time 2|∆|·2 · ψ ψ∈Ap(τ ) Q Q O(|ψ|) · ψ∈Ap(τ ) |Aψ | states. has ψ∈Sub(τ ) 2|Q|·2 We proceed by induction on the structure of τ . For atomic propositions the statement is obvious. For boolean connectives it follows from closure properties of regular languages. Let τ ≡ P =1 ϕ with ψ1 , . . . , ψk being maximal state subformulae of ϕ. We replace all occurrences of ψi in ϕ with an atomic proposition ai , 1 ≤ i ≤ k, and obtain an LTL formula ψ. Then we define a regular valuation ν 0 assigning C(Aψi ) to every ai . Now, 0 Corollary 3.4 gives us a DFA A where pα ∈ C(A) iff pα |=ν P =1 ψ iff pα |=ν P =1 ϕ. The complexity estimates follow using arguments similar to those given in the discussion preceding Theorem 5.3.2 of [5]. 2 3.2

Lower Bounds

It was proved in [4] that model-checking non-probabilistic PDA and CTL∗ is 2-EXPTIMEcomplete. We show that this lower bound is valid also for pBPA and both qPCTL∗ and qPECTL∗ . Formally, we prove the following theorem. Theorem 3.5 The model-checking problem for pBPA and both qPCTL∗ and qPECTL∗ is 2-EXPTIME-hard. Proof (sketch). We proceed by reduction from the 2-EXPTIME-complete acceptance problem for alternating exponentially space bounded Turing machines [7]. An alternating exponentially bounded Turing machine is a tuple M = (Q, K, J, q0 , `, a, #, δ, P ) where Q is a finite set of control states, K is a finite input alphabet, J ⊇ K is a finite tape alphabet, q0 ∈ Q is the initial state, `, a ∈ J are markers of the left-hand and right-hand side of a tape, # ∈ J is an empty symbol, δ : Q × J → 2Q×J×{L,R} is a transition function, and P = (Q∀ , Q∃ , Qacc , Qrej ) is a partition of Q into universal, existential, accepting and rejecting states, respectively. W.l.o.g. we assume that Q ∩ J = ∅, q0 ∈ Q∃ and δ(q, a) has exactly two elements (q1 , a1 , D1 ), (q2 , a2 , D2 ) for all q, a, where D1 6= D2 and q1 6= q2 . 7

´ zdil, Broˇ Bra zek, and Forejt

A configuration of M consists of a control state together with a position of the head on the tape and a word w ∈ J ∗ such that |w| = 2rj where r is a constant, j > 1 is the size of the input word and w(0) = ` and w(2rj − 1) = a. We write configurations as words vqv 0 ∈ (Q ∪ J)∗ where vv 0 is the content of the tape, q is a control state and |v| is the position of the head (i.e., the machine reads the first letter of v 0 ). A configuration vqv 0 is accepting if q ∈ Qacc . A computation tree on an input word v ∈ K ∗ is a tree T satisfying the following: The root of T is labeled by the initial configuration q0 `v#i a where i = 2r|v| − |v| − 2, and if N is a node labeled by a configuration with a control state q, then the following holds: •

if q is accepting or rejecting, then N is a leaf;

•

if q is existential, then N has one successor labeled by a configuration reachable from the configuration of N in one step;

•

if q is universal, then N has two successors which are labeled by both configurations reachable from the configuration of N in one step.

We can safely assume that all computation trees of M are finite. A computation tree is accepting if all its leaves are labeled by accepting configurations. The machine M accepts v if there is an accepting computation tree on the input word v. For a given M and an input word v we construct a pBPA ∆ = (Γ, →, P rob), a configuration σ ∈ Γ∗ and a formula Φ, such that σ |=ν Φ iff v is accepted by M. We use the symbols from Γ as atomic propositions and define ν to be the simple valuation assigning the set {X}Γ∗ to each proposition X. We put n = r|v|. Let us denote m = 2n − 2. We use the fact that one can effectively compute a set of compatible hex-tuples CompL (M) ⊆ (J ∪ Q)6 such that for all configurations ω and ω 0 of M we have that ω 0 is reachable from ω in one step while moving head to left iff (ω(i), ω(i + 1), ω(i + 2), ω 0 (i), ω 0 (i + 1), ω 0 (i + 2)) ∈ CompL (M) for all 0 ≤ i ≤ m. Similarly, we define CompR (M) for moving head to right and Comp(M) = CompL (M) ∪ CompR (M). Intuitively, the pBPA ∆ simulates the depth first search on a computation tree by guessing configurations on its stack as sequences of triples. Each configuration ω is represented by a sequence [ym ], [ym−1 ], . . . , [y0 ] where yi = ω(i)ω(i + 1)ω(i + 2) for 0 ≤ i ≤ m. Whenever a new configuration is guessed, the pBPA ∆ checks whether two triples on the same position in two adjacent configurations form a compatible hex-tuple. To deal with exponentially many triples in each configuration, we adopt the construction of [4]. The idea is based on encoding the position of each triple using n binary counters. Formally, the set Γ consists of all [y] where y ∈ (J ∪ Q)3 and distinguished symbols G, F , A, L, R, E, T , H, 0 and 1. The transition relation → is defined as follows: H → H[#3 ]c | G[y]0n E [y] → ε | T 0→ε F →ε

G → G[y]0n L | G[y]0n E | G[y]c | A | F R→ε|F 1→ε A→ε

L → G[y]0n R | F E→ε|F T →ε

Here, c denotes a word from {0, 1}n . Note that the rules H → H[#3 ]c and G → G[y]c are in fact abbreviations for families of rules that guess c on the top of the stack symbol by symbol and then add H[#3 ] and G[y], respectively, on the top. Also, each rule with the right-hand side longer than two symbols can be decomposed into several rules with right-hand sides of length at most two. 8

´ zdil, Broˇ Bra zek, and Forejt

In the following text, we use ck ∈ {0, 1}n to denote the binary representation of the number k. Let [ym ], [ym−1 ], . . . , [y0 ] be the sequence of triples encoding the initial configuration of M. By PConf we denote the set of all finite words of the form [y]c[y 0 ]c0 . . ., i.e., sequences of triples followed by numbers. Let us consider a run w of ∆ initiated in σ = H[yn ]cn . . . [y0 ]c0 satisfying the following properties: (i) w reaches ε and never enters F ; (ii) each configuration of w with the head U ∈ {G, H} is either of the form U [y]ck [y 0 ]ck−1 γ, where k ≤ m, or U [y]c0 X[y 0 ]cm γ where X ∈ {L, R, E}; (iii) each configuration of w starting with G has the form G[y]ck αXβ[y 0 ]ck γ where 0 ≤ k ≤ m, X ∈ {L, R, E}, α, β ∈ PConf , and (y, y 0 ) is from CompL (M), CompR (M) or Comp(M), depending on whether X = L, X = R or X = E; (iv) each configuration of w with the head A can be written as Aα[y]β where α ∈ PConf and y contains q ∈ Qacc . It is easy to prove that w uniquely corresponds to a depth-first search on some accepting computation tree of M. Observe that ∆ is forced, by the property (ii), to first reach H[ym ]cm . . . [y0 ]c0 , and then to simulate an accepting computation of M from the initial configuration encoded by [ym ], . . . , [y0 ]. We define the formula Φ as follows 
 Φ ≡ P >0 3ε ∧ ¬3F ∧ 2 ((G ∨ H) ⇒ Counter) ∧ (G ⇒ Check) ∧ (A ⇒ Acc) Intuitively, Φ should assure that there is a run satisfying conditions (i)–(iv). It can be easily formulated in qPECTL∗ , provided that Counter, Check and Acc are qPECTL∗ formulae. In the rest of this proof we define the formulae Counter, Check, and Acc to assure the conditions (ii), (iii), and (iv), respectively. Let us start with Check. Although the condition (iii) can be expressed straightforwardly using qPCTL∗ formula, the logic qPECTL∗ demands more careful approach. In order to avoid an exponential blow-up in the size of the formula we express negation of the condition (iii) and consequently negate the formula. Let Gγ be a configuration which does not satisfy (iii) and is reachable from H[yn ]cn . . . [y0 ]c0 . All runs w initiated in Gγ can be classified as follows (here h[w] = head (w(0)) head (w(1)) . . . is the string of heads of configurations of w): •

h[w](1) 6= F , or h[w] starts with GF [y]T ;

•

h[w] starts with GF [y]cαXz where X ∈ {L, R, E}, α ∈ (Γ\{L, R, E})∗ , and z 6= F ;

•

h[w] starts with GF [y]cαXα0 X 0 where X, X 0 ∈ {L, R, E}, α ∈ (Γ\{L, R, E})∗ , and α0 ∈ (Γ\{T, L, R, E})∗ ;

•

h[w] starts with GF [y]cαXF α0 [y 0 ]T c0 where X ∈ {L, R, E}, α ∈ (Γ\{L, R, E})∗ , α0 ∈ (Γ\{T, L, R, E})∗ , and one of the following holds: · c 6= c0 ; · ([y], [y 0 ]) is not from CompL (M), CompR (M) or Comp(M) depending on whether X = L, X = R or X = E.

Note that for each of the above cases the set of all words h[w] is accepted by a nondeterministic B¨uchi automaton computable in polynomial time. Now we define Check = ¬P =1 (BCheck (Y1 , . . . , Yk )) where Γ = {Y1 , . . . , Yk } and the automaton BCheck nondeterministically guesses which one of the above cases occurs and then verifies it (note that 9

´ zdil, Broˇ Bra zek, and Forejt

always precisely one of Y1 , . . . , Yk is satisfied, and hence we may assume that transitions of BCheck are labeled with letters of Γ). Now we define Counter. Let U ∈ {G, H} and let U γ be a configuration which does not satisfy (ii). All runs w from U γ can be classified as follows (here X ∈ {L, R, E}): •

h[w](1) 6= F , or h[w] starts either with U F [y]T , or U F [y]c[y 0 ]T , or U F [y]cXF [y 0 ]T ;

•

h[w] starts with U F [y]ck XF [y 0 ]cm where k 6= 0;

•

h[w] starts with U F [y]ck [y 0 ]c` where ` = m or k 6= ` + 1.

Clearly, a B¨uchi automaton BCounter accepting the set of all words h[w] satisfying the above conditions is computable in polynomial time. We define Counter = ¬P =1 (BCounter (Y1 , . . . , Yk )). Finally, let us define Acc = P >0 (BAcc (Y1 , . . . , Yk )) where the automaton BAcc accepts all words of the form Aα[y]β where α ∈ PConf and [y] contains q ∈ Qacc . The automaton BAcc can easily be constructed in polynomial time. It is straightforward to verify that formulae Counter, Check and Acc can also be defined in qPCTL∗ . 2

References [1] P.A. Abdulla, C. Baier, S.P. Iyer, and B. Jonsson. Reasoning about probabilistic channel systems. In Proceedings of CONCUR 2000, vol. 1877 of LNCS, pp. 320–330. Springer, 2000. [2] C. Baier. On the Algorithmic Verification of Probabilistic Systems. Habilitation, Universit¨at Mannheim, 1998. [3] C. Baier and B. Engelen. Establishing qualitative properties for probabilistic lossy channel systems: an algorithmic approach. In Proceedings of 5th International AMAST Workshop on Real-Time and Probabilistic Systems (ARTS’99), vol. 1601 of LNCS, pp. 34–52. Springer, 1999. [4] Laura Bozzelli. Complexity results on branching-time pushdown model checking. In E. Allen Emerson and Kedar S. Namjoshi, editors, Proceedings of VMCAI, vol. 3855 of Lecture Notes in Computer Science, pp. 65–79. Springer, 2006. [5] T. Br´azdil. Verification of Probabilistic Recursive Sequential Programs. PhD thesis, Faculty of Informatics, Masaryk University, 2007. [6] T. Br´azdil, A. Kuˇcera, and O. Straˇzovsk´y. On the decidability of temporal properties of probabilistic pushdown automata. In Proceedings of STACS’2005, vol. 3404 of LNCS, pp. 145–157. Springer, 2005. [7] Ashok K. Chandra, Dexter Kozen, and Larry J. Stockmeyer. Alternation. J. ACM, 28(1):114–133, 1981. [8] M. Dam. Ctl* and ectl* as fragments of the modal mu-calculus. Theoretical Computer Science, 126:77–96, 1994. [9] L. de Alfaro. Temporal logics for the specification of performance and reliability. In Proceedings of STACS’97, vol. 1200 of LNCS, pp. 165–176. Springer, 1997. [10] J. Esparza, A. Kuˇcera, and R. Mayr. Model-checking probabilistic pushdown automata. In Proceedings of LICS 2004, pp. 12–21. IEEE, 2004. [11] J. Esparza, A. Kuˇcera, and S. Schwoon. Model-checking LTL with regular valuations for pushdown systems. I&C, 186(2):355–376, 2003. [12] K. Etessami and M. Yannakakis. Algorithmic verification of recursive probabilistic systems. In Proceedings of TACAS 2005, vol. 3440 of LNCS, pp. 253–270. Springer, 2005. [13] K. Etessami and M. Yannakakis. Checking LTL properties of recursive Markov chains. In Proceedings of 2nd Int. Conf. on Quantitative Evaluation of Systems (QEST’05), pp. 155–165. IEEE, 2005. [14] K. Etessami and M. Yannakakis. Recursive Markov chains, stochastic grammars, and monotone systems of non-linear equations. In Proceedings of STACS’2005, vol. 3404 of LNCS, pp. 340–352. Springer, 2005. [15] H. Hansson and B. Jonsson. A logic for reasoning about time and reliability. Formal Aspects of Computing, 6:512–535, 1994. [16] J. G. Kemeny and J. L. Snell. Finite Markov Chains: With a New Appendix ”Generalization of a Fundamental Matrix”. Springer, first edition, 1983. [17] J. G. Kemeny, J. L. Snell, A. W. Knapp, and D.S. Griffeath. Denumerable Markov Chains. Springer, second edition, 1976.

10